MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aa821ae80d1d1c8f14067a485300b69cc6a4c39d470895c02d782d92d31b55e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1aa821ae80d1d1c8f14067a485300b69cc6a4c39d470895c02d782d92d31b55e
SHA3-384 hash: 2dc13d0e71f38569a85af21ddb0b20dffa8157231263a0bbb9f7d2d8a0c95bbbff4e01c6801999fcd4ef3247f08d7cd4
SHA1 hash: def3608251cd8819714561a8ffc36956cf17b26b
MD5 hash: 59f36ddb99b26b3adf7f8785ff0998ad
humanhash: lake-orange-ohio-lima
File name:59f36ddb99b26b3adf7f8785ff0998ad.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:312'320 bytes
First seen:2022-05-22 10:15:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bb95bf86a8cf670f8471ed786540749 (1 x RedLineStealer)
ssdeep 6144:rNw+ICpW8Hf6qLHbzMeXGhT9iFUIfaaCp7N:rmG0Af6qjMeXGl95IfaaCp7N
Threatray 4'544 similar samples on MalwareBazaar
TLSH T13B646C00BA51F035F5B32DF8596583A8B52ABFA16B2640CB52DD3AEE523C5E0EC31717
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9824e790c6e72158 (2 x RedLineStealer, 2 x Smoke Loader, 1 x Stop)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
141.255.161.70:81

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
141.255.161.70:81 https://threatfox.abuse.ch/ioc/623370/

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
59f36ddb99b26b3adf7f8785ff0998ad.exe
Verdict:
No threats detected
Analysis date:
2022-05-22 10:17:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5031030b-33b1-4e52-acdd-792f7a0496ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273399/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19523/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/628a0d706eb3ff32631e894f/reports/ced16a93-78b6-4c43-b9f3-454f9f1f98d3/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11ca2835-e1b5-4681-8eb9-874c2fb47063
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999293
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 631789 Sample: gNf9npGFrQ.exe Startdate: 22/05/2022 Architecture: WINDOWS Score: 100 34 bahninfo.at 2->34 54 Snort IDS alert for network traffic 2->54 56 Multi AV Scanner detection for domain / URL 2->56 58 Found malware configuration 2->58 60 9 other signatures 2->60 8 gNf9npGFrQ.exe 2->8         started        11 wwruuha 2->11         started        13 CE29.exe 2->13         started        signatures3 process4 signatures5 74 Detected unpacking (changes PE section rights) 8->74 76 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->76 78 Maps a DLL or memory area into another process 8->78 80 Creates a thread in another existing process (thread injection) 8->80 15 explorer.exe 4 8->15 injected 82 Multi AV Scanner detection for dropped file 11->82 84 Machine Learning detection for dropped file 11->84 86 Checks if the current machine is a virtual machine (disk enumeration) 11->86 process6 dnsIp7 40 rampl.at 94.103.94.98, 49799, 80 VDSINA-ASRU Russian Federation 15->40 42 189.156.132.220, 49807, 49856, 49882 UninetSAdeCVMX Mexico 15->42 44 7 other IPs or domains 15->44 26 C:\Users\user\AppData\Roaming\wwruuha, PE32 15->26 dropped 28 C:\Users\user\AppData\Local\Temp\CE29.exe, PE32 15->28 dropped 30 C:\Users\user\AppData\Local\Temp\2F36.exe, PE32 15->30 dropped 32 C:\Users\user\...\wwruuha:Zone.Identifier, ASCII 15->32 dropped 46 System process connects to network (likely due to code injection or exploit) 15->46 48 Benign windows process drops PE files 15->48 50 Deletes itself after installation 15->50 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->52 20 2F36.exe 15 3 15->20         started        24 CE29.exe 15->24         started        file8 signatures9 process10 dnsIp11 36 iclarinyerac.xyz 141.255.161.70, 49907, 81 PLI-ASCH Switzerland 20->36 38 api.ip.sb 20->38 62 Detected unpacking (changes PE section rights) 20->62 64 Detected unpacking (overwrites its own PE header) 20->64 66 Performs DNS queries to domains with low reputation 20->66 68 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->68 70 Machine Learning detection for dropped file 24->70 72 Contains functionality to infect the boot sector 24->72 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1aa821ae80d1d1c8f14067a485300b69cc6a4c39d470895c02d782d92d31b55e/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-22 10:16:08 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dkucdlua2hi4r4kam6sikmalnhggutbz2ryisxac26bnsljrwvpa._file
Verdict:
malicious
Similar samples:
07496d9b469cf18651ec5dc207b2d2a28cd3711ca2a0374ae995920d00f65cae
RedLineStealer
1af8db0f539323bebdcd8e72afa8e3a65e8f3950b2c9b59c771187662da1aa1c
RedLineStealer
2ed02cabdb5f2d169cb838c2a79e1d64e7bc54f809aef2087fbc96ae1b822e70
RedLineStealer
4819ff853b534e12c7460dd478d5d60c236885e23338af9e60e42ef226b360de
RedLineStealer
a56ad78fbf9ab91c4fb8e1023d3e653d55b8dfa187cae517ef869c4d16022650
RedLineStealer
+ 4'534 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor evasion trojan
Link:
https://tria.ge/reports/220522-masg3shfg9/
Behaviour
Checks SCSI registry key(s)
Gathers network information
Gathers system information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
SmokeLoader
Malware Config
C2 Extraction:
http://bahninfo.at/upload/
http://img4mobi.com/upload/
http://equix.ru/upload/
http://worldalltv.com/upload/
http://negarehgallery.com/upload/
http://lite-server.ru/upload/
http://piratia/su/upload/
http://go-piratia.ru/upload/
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
http://nikogkojam.org/
https://ny-city-mall.com/search.php
https://fresh-cars.net/search.php
Unpacked files
SH256 hash:
e10525da4e40001ec6e826db24de43dfead9dc0c7b8533eff91970c5aeac683d
MD5 hash:
3fbe5acadf8146459153a1cad2e28838
SHA1 hash:
a9a3c503aca5af600286d2268c3bc4a55b697280
Link:
https://www.unpac.me/results/441bd288-c643-4727-a31a-76dbfc3a887e/
SH256 hash:
1aa821ae80d1d1c8f14067a485300b69cc6a4c39d470895c02d782d92d31b55e
MD5 hash:
59f36ddb99b26b3adf7f8785ff0998ad
SHA1 hash:
def3608251cd8819714561a8ffc36956cf17b26b
Link:
https://www.unpac.me/results/441bd288-c643-4727-a31a-76dbfc3a887e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1aa821ae80d1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1aa821ae80d1d1c8f14067a485300b69cc6a4c39d470895c02d782d92d31b55e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1aa821ae80d1d1c8f14067a485300b69cc6a4c39d470895c02d782d92d31b55e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2182082/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/273399/

Comments